The DPRK delicate sound of cyber

2022-12-16 SEKOIA

https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/

SEKOIA observed all known DPRK-linked intrusion sets active in 2022, with Lazarus and Kimsuky receiving the most reporting and showing continued cyberespionage and revenue-focused operations. Lazarus, Bluenoroff, and Andariel were described as overlapping in mandates, with DreamJob supporting espionage against aerospace, defense, security researchers, and cryptocurrency targets, while AppleJeus and SnatchCrypto targeted cryptocurrency and fintech platforms or users. The activity relied heavily on social engineering through recruiter personas on LinkedIn, WhatsApp, Slack, and similar channels, alongside malicious documents, backdoored trading applications, Electron-based tools, Manuscrypt RAT delivery, and hosted payloads. The report highlights DPRK actors updating TTPs for stealth, including Kimsuky validation and geofencing mechanisms, C2 hosting on services such as Dropbox, GitHub, and Blogspot, and Lazarus use of BYOVD to deploy BLINDINGCAN. These campaigns matter because they connect DPRK strategic intelligence collection and sanctions-evasion financing to persistent targeting of defense, cryptocurrency, diplomacy, media, academia, and civil-society sectors.